diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2008-01-03 21:25:34 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2008-01-03 21:25:34 +0000 |
| commit | 230d5cfc4739bc4963c8d67e4a7cd84abe53ef93 (patch) | |
| tree | 0fa8d138ed251e873bd55a4e7b402fbdd9f57488 /src/backend/commands/schemacmds.c | |
| parent | 0776cb2116f4eaec743f1e304c1255c318a20d1f (diff) | |
| download | postgresql-230d5cfc4739bc4963c8d67e4a7cd84abe53ef93.tar.gz postgresql-230d5cfc4739bc4963c8d67e4a7cd84abe53ef93.zip | |
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions. The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance. While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.
To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.
Thanks to Itagaki Takahiro for reporting this vulnerability.
Security: CVE-2007-6600
Diffstat (limited to 'src/backend/commands/schemacmds.c')
| -rw-r--r-- | src/backend/commands/schemacmds.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c index 2d184727a99..162dabf3244 100644 --- a/src/backend/commands/schemacmds.c +++ b/src/backend/commands/schemacmds.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/commands/schemacmds.c,v 1.16 2003/08/04 02:39:58 momjian Exp $ + * $Header: /cvsroot/pgsql/src/backend/commands/schemacmds.c,v 1.16.4.1 2008/01/03 21:25:33 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -46,9 +46,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt) const char *owner_name; AclId owner_userid; AclId saved_userid; + bool saved_secdefcxt; AclResult aclresult; - saved_userid = GetUserId(); + GetUserIdAndContext(&saved_userid, &saved_secdefcxt); /* * Figure out user identities. @@ -71,7 +72,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt) * (This will revert to session user on error or at the end of * this routine.) */ - SetUserId(owner_userid); + SetUserIdAndContext(owner_userid, true); } else { @@ -151,7 +152,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt) PopSpecialNamespace(namespaceId); /* Reset current user */ - SetUserId(saved_userid); + SetUserIdAndContext(saved_userid, saved_secdefcxt); } |